ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Macos Spm App Packaging

v1.0.0

Scaffold, build, and package SwiftPM-based macOS apps without an Xcode project. Use when you need a from-scratch macOS app layout, SwiftPM targets/resources, a custom .app bundle assembly script, or signing/notarization/appcast steps outside Xcode.

2· 2.1k·4 current·4 all-time
by@dimillian
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (SwiftPM macOS packaging, signing, notarization, appcast) aligns with the included templates and docs. The templates implement expected functionality: building, packaging, codesigning, notarization, and Sparkle appcast generation. Minor mismatch: registry metadata lists no required env vars, but the scripts and reference docs document several optional but sensitive environment variables used for notarization and Sparkle (APP_STORE_CONNECT_*, SPARKLE_PRIVATE_KEY_FILE, APP_IDENTITY).
!
Instruction Scope
SKILL.md and templates instruct running build/package/sign/notarize flows and include scripts that: call git, swift build/test, lipo, codesign, xcrun notarytool, spctl, security import, openssl and write temporary files in /tmp. The scripts will write an App Store Connect key file from an env var, import a generated PKCS#12 into the user's login keychain, and remove temp files—these are beyond simple file scaffolding and modify system state. The SKILL.md does not instruct arbitrary data exfiltration, but the scripts reference environment variables and system commands that are sensitive and can affect the user's keychain and signing identities.
Install Mechanism
No install spec (instruction-only with included template files). No network downloads or remote installers are embedded in the skill. All code is present in the template files so nothing external is fetched by the skill itself.
!
Credentials
The skill metadata declares no required environment variables, yet several templates and the release docs rely on sensitive env vars at runtime: APP_STORE_CONNECT_API_KEY_P8, APP_STORE_CONNECT_KEY_ID, APP_STORE_CONNECT_ISSUER_ID (notarization), SPARKLE_PRIVATE_KEY_FILE / SPARKLE_DOWNLOAD_URL_PREFIX / SPARKLE_RELEASE_VERSION (appcast), APP_IDENTITY, and optional APP_ENTITLEMENTS. These credentials are reasonable for notarization/appcast flows but are sensitive; scripts write API key contents to /tmp and import certificates into the login keychain—actions that should be made explicit to users and not assumed safe.
!
Persistence & Privilege
The skill does not request 'always' or persistent inclusion, but some templates (setup_dev_signing.sh) create certificates and import them into the user's login keychain (security import). That modifies system state and can create persistent signing identities. sign-and-notarize.sh uses the App Store Connect key written into /tmp for notarytool operations. These behaviors require the user's explicit consent and careful review because they affect system-level trust and signing configuration.
What to consider before installing
This skill appears to provide legitimate macOS SwiftPM packaging workflows, but several scripts perform sensitive actions. Before using/installing: 1) Review the scripts line-by-line (especially setup_dev_signing.sh and sign-and-notarize.sh). 2) Do not paste private keys or App Store Connect key material into an agent or into environment variables unless you trust the source; the scripts write keys to /tmp and call notarization APIs. 3) Be aware setup_dev_signing.sh will create and import a certificate into your login keychain—only run it if you understand and accept that change, and prefer to create/import certs manually in Keychain Access. 4) Run these scripts in an isolated/test environment (or VM) first. 5) Prefer obtaining this tooling from a repository with a known maintainer, commit history, and checksums; lack of a homepage/source URL is an additional risk. If you provide the App Store Connect/P8 key or Sparkle private key, ensure you rotate or audit use afterward. Additional information that would increase confidence: a public source repo, maintainer identity, release signatures/checksums, and an explicit manifest of which env vars are required vs optional.

Like a lobster shell, security has layers — review code before you run it.

latestvk974bbq374p2g93d50r3cnhaz57yt7vr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments